LANforge WiFi AP And Stations With HS20 And EAP-AKA

Goal: Use LANforge to create an AP, a RADIUS server, and a Station that supports HotSpot 2.0 (HS20) and EAP-AKA authentication.

Requires LANforge 5.2.11 or later. Create a Virtual AP configured for HotSpot 2.0 and RADIUS (802.1x) authentication. Create a second dummy AP to act as the RADIUS server. Configure the back-end tools to authenticate EAP-AKA. Create and configure a LANforge WiFi station to test authentication. This example uses two LANforge CT520 systems, but the procedure should work on all CT520, CT521, CT523 and CT525 systems. The information here should also be useful for non-LANforge users creating their own AP using the hostapd program.

This example uses LANforge for all components, so it is both the test gear and the system under test. This cookbook is primarily intended to record information on how to set up various components of an HS20 EAP-AKA network for demo purposes. Users may choose to implement sub-sections of this cookbook and replace others with third-party APs, RADIUS servers, etc.

B. The new VAP should appear in the Port-Mgr table. Double-click to modify. Configure IP Address information, SSID and select WPA2:

C. Select the Advanced Configuration tab in the Port-Modify window and configure the 802.1x, 802.11u, HotSpot 2.0, RADIUS and other information. Note that the 3GPP Cell Net entry must correspond to the IMSI we enter as the station's identity and the IMSI information in the hlr_auc_gw config file:

D. Use Netsmith to create a Virtual Router. Add the vapX interface to the Virtual Router and configure the Virtual Router port object to serve DHCP. Optionally, add an external Ethernet interface to the Virtual Router so that it can route to upstream networks. You could also set up the VAP in bridge mode and use an external DHCP server if preferred.

E. For those doing this manually, the hostapd.conf file looks like this:

E. Create RADIUS client authentication file on the LANforge machine called */etc/hostapd.radius_clients* with contents similar to:

```
192.168.100.0/24 lanforge
127.0.0.1/24 lanforge
```

3. Configure back-end authenticator for EAP-AKA.

A. On the LANforge machine, use your favorite editor to create the file */etc/hlr_auc_gw.milenage*. It should have contents similar to:

```
# Parameters for Milenage (Example algorithms for AKA).
# The example Ki, OPc, and AMF values here are from 3GPP TS 35.208 v6.0.0
# 4.3.20 Test Set 20. SQN is the last used SQN value.
# These values can be used for both UMTS (EAP-AKA) and GSM (EAP-SIM)
# authentication. In case of GSM/EAP-SIM, AMF and SQN values are not used, but
# dummy values will need to be included in this file.

# IMSI Ki OPc AMF SQN
232010000000000 90dca4eda45b53cf0f12d7c9c3bc6a89 cb9cccc4b9258e6dca4760379fb82581 61df 000000000000

# These values are from Test Set 19 which has the AMF separation bit set to 1
# and as such, is suitable for EAP-AKA' test.
555444333222111 5122250214c33e723a5dd523fc145fc0 981d464c7c52eb6e5036234984ad0bcf c3ab 16f3b3f70fc1
```
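
One way to check the two consistency points this cookbook relies on (the column format of the Milenage file, and the 3GPP Cell Net entry corresponding to each IMSI), as an added example that is not part of the original cookbook or of LANforge or hostapd. It assumes the Cell Net value uses hostapd's `anqp_3gpp_cell_net` form `MCC,MNC;MCC,MNC`; the function names and the `232,01;555,44` value in the comments are constructed for illustration.

```python
import re

# Constructed sample input: the two entries from the file shown above.
SAMPLE = """\
# IMSI Ki OPc AMF SQN
232010000000000 90dca4eda45b53cf0f12d7c9c3bc6a89 cb9cccc4b9258e6dca4760379fb82581 61df 000000000000
555444333222111 5122250214c33e723a5dd523fc145fc0 981d464c7c52eb6e5036234984ad0bcf c3ab 16f3b3f70fc1
"""

# Expected shape of each column, in file order.
FIELDS = [("IMSI", r"\d{6,15}"), ("Ki", r"[0-9a-fA-F]{32}"),
          ("OPc", r"[0-9a-fA-F]{32}"), ("AMF", r"[0-9a-fA-F]{4}"),
          ("SQN", r"[0-9a-fA-F]{12}")]


def parse_milenage(text):
    """Return ({imsi: info}, [errors]); key material is never echoed back."""
    entries, errors = {}, []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        cols = line.split()
        if len(cols) != len(FIELDS):
            errors.append(f"line {lineno}: expected 5 columns, got {len(cols)}")
            continue
        bad = [n for (n, rx), v in zip(FIELDS, cols) if not re.fullmatch(rx, v)]
        if bad:
            errors.append(f"line {lineno}: malformed {', '.join(bad)}")
            continue
        # The AMF separation bit is the most significant bit of the 16-bit AMF.
        entries[cols[0]] = {"aka_prime_ok": bool(int(cols[3], 16) & 0x8000)}
    return entries, errors


def imsi_matches_cell_net(imsi, cell_net):
    """True if the IMSI begins with an MCC+MNC pair listed in cell_net."""
    for pair in cell_net.split(";"):
        mcc, _, mnc = pair.strip().partition(",")
        if mcc and mnc and imsi.startswith(mcc + mnc):
            return True
    return False


def audit(text, cell_net):
    """Format errors plus IMSIs not covered by the 3GPP Cell Net list."""
    entries, problems = parse_milenage(text)
    problems += [f"IMSI {i}: no matching MCC,MNC in '{cell_net}'"
                 for i in entries if not imsi_matches_cell_net(i, cell_net)]
    return entries, problems
```

Calling `audit(SAMPLE, "232,01;555,44")` reports no problems and marks only the Test Set 19 entry as suitable for EAP-AKA', matching the comment in the file.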

B. The new Station should appear in the Port-Mgr table. Double-click to modify. Set the SSID to [BLANK], and select WPA2. The SSID and Key/Password do not need to be configured when using HotSpot 2.0:

C. Select the Advanced Configuration tab in the Port-Modify window and configure the 802.1x, 802.11u, HotSpot 2.0 and other information. The EAP Identity and EAP Password must match the configuration on your RADIUS server, and in this case, that means it must match the hlr_auc_gw configuration we entered earlier. The HS20 Realm and Domain should be configured to match the HS20 AP.

D. Verify Station connects to the AP and obtains DHCP IP Address configuration. If it does not work, look at the Station's supplicant logs, the AP logs, the RADIUS server logs, and the hlr_auc_gw logs.

E. For those doing this manually, the wpa_supplicant.conf file looks like this: